authorSpencer Jackson <spencer.jackson@mongodb.com>2015-12-14 12:22:16 -0500
committerSpencer Jackson <spencer.jackson@mongodb.com>2015-12-15 16:13:28 -0500
commitf99421466679478b8aba02344fa2c9b126946350 (patch)
tree2c999bf3db12490351ba092d2ba6d234936f4e93
parent42ab40b9cc93c5a8f60acd80c6d5b423e2918958 (diff)
SERVER-21724 Let backup role read system.profile
(cherry picked from commit 21bcf6b127c1bb24e74845327e8d20df26e560bc)
-rw-r--r--jstests/auth/lib/commands_lib.js2
-rw-r--r--jstests/tool/dumpauth.js26
-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp4
3 files changed, 28 insertions, 4 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 8f427c680c5..9dbfe56bd6a 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -2031,6 +2031,7 @@ var authCommandsLib = {
{
runOnDb: firstDbName,
roles: {
+ backup: 1,
dbAdmin: 1,
dbAdminAnyDatabase: 1,
dbOwner: 1,
@@ -2047,6 +2048,7 @@ var authCommandsLib = {
{
runOnDb: secondDbName,
roles: {
+ backup: 1,
dbAdminAnyDatabase: 1,
clusterMonitor: 1,
clusterAdmin: 1,
diff --git a/jstests/tool/dumpauth.js b/jstests/tool/dumpauth.js
index 17cf5c19de7..ba8ee9a5f81 100644
--- a/jstests/tool/dumpauth.js
+++ b/jstests/tool/dumpauth.js
@@ -4,6 +4,8 @@
var m = MongoRunner.runMongod({auth: "", bind_ip: "127.0.0.1"});
var dbName = "admin"
var colName = "testcol"
+var profileName = "system.profile"
+var dumpDir = MongoRunner.dataPath + "jstests_tool_dumprestore_dump_system_profile/";
db = m.getDB(dbName);
db.createUser({user: "testuser" , pwd: "testuser", roles: jsTest.adminUserRoles});
@@ -11,16 +13,32 @@ assert( db.auth( "testuser" , "testuser" ) , "auth failed" );
t = db[colName];
t.drop();
+profile = db[profileName];
+profile.drop();
+// Activate profiling, to ensure that system.profile can be dumped with the backup role
+db.setProfilingLevel(2);
+
+// Populate the database
for(var i = 0; i < 100; i++) {
t.save({ "x": i });
}
+assert.gt(profile.count(), 0, "admin.system.profile should have documents");
+assert.eq(t.count(), 100, "testcol should have documents");
+
+// Create a user with backup permissions
+db.createUser({user: "backup" , pwd: "password", roles: ["backup"]});
+// Backup the database with the backup user
x = runMongoProgram( "mongodump",
"--db", dbName,
+ "--out", dumpDir,
"--authenticationDatabase=admin",
- "-u", "testuser",
- "-p", "testuser",
- "-h", "127.0.0.1:"+m.port,
- "--collection", colName);
+ "-u", "backup",
+ "-p", "password",
+ "-h", "127.0.0.1:"+m.port);
assert.eq(x, 0, "mongodump should succeed with authentication");
+
+// Assert that a BSON document for admin.system.profile has been produced
+x = runMongoProgram( "bsondump", dumpDir + "/" + dbName + "/" + profileName + ".bson" );
+assert.eq(x, 0, "bsondump should succeed parsing the profile data");
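Review bot: Nothing clears `dumpDir` before mongodump runs, so a `system.profile.bson` left behind by an earlier run could satisfy the final bsondump check regardless of what the backup user was allowed to read; calling `resetDbpath(dumpDir);` just before the dump would rule that out. The closing assertion only checks that bsondump exits 0, which presumably also holds for an empty file, so it does not show that any profile documents were dumped. Since this test is the evidence for a privilege change, it would be stronger to also verify that the dumped file is non-empty. Separately, `dumpDir` already ends in `/`, so `dumpDir + "/" + dbName` yields a doubled separator, which is harmless but easy to tidy.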
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 94e3b157346..7d1c6178ecc 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -442,6 +442,10 @@ void addBackupPrivileges(PrivilegeVector* privileges) {
Privilege::addPrivilegeToPrivilegeVector(
privileges,
+ Privilege(ResourcePattern::forCollectionName("system.profile"), ActionType::find));
+
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges,
Privilege(
ResourcePattern::forExactNamespace(AuthorizationManager::usersAltCollectionNamespace),
ActionType::find));
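Review bot: The new `Privilege(ResourcePattern::forCollectionName("system.profile"), ActionType::find)` entry has no comment explaining why the backup role needs it or how far it reaches. `forCollectionName` is not tied to one database, so the grant appears to cover `system.profile` in every database. Profiler documents can record the bodies of other users' operations, so this is a deliberate widening of what a backup credential can read and should be stated at the grant. A comment such as `// mongodump dumps system.profile along with the rest of a database; grant read-only find on it in every database (SERVER-21724).` would do. The body of addBackupPrivileges starts and ends outside this hunk, so the role's other grants are not visible here.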